Hello Josh,
The server cert is self signed and I believe it's in DER format. I
tried running a command sort of like this but I don't see a BEGIN
CERTIFICATE and END.
openssl x509 -inform pem -in RootCA.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
79:ea:98:8c:f8:36:fe:88:45:76:fb:fe:4a:c7:e7:02
Signature Algorithm: sha1WithRSAEncryption
Issuer: DC=edu, DC=ncf, DC=internal, CN=internal-MSADCS1-CA
Validity
Not Before: Jun 1 06:24:07 2012 GMT
Not After : Jun 1 06:34:05 2017 GMT
Subject: DC=edu, DC=ncf, DC=internal, CN=internal-MSADCS1-CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
1.3.6.1.4.1.311.20.2:
...C.A
X509v3 Key Usage:
Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
EC:A5:DB:79:15:97:AC:B0:E9:00:FC:F4:9D:CF:8B:C5:9F:94:2B:A4
1.3.6.1.4.1.311.21.1:
...
Signature Algorithm: sha1WithRSAEncryption
I don't get what I'm supposed to install, and as I mentioned above, I
don't see any BEGIN CERTIFICATE and END CERTIFICATE.
On Wed, Nov 13, 2013 at 12:53 PM, Josh Thompson <[email protected]> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> David,
>
> First, a little certificate background. With SSL, you have a Certificate
> Authority (CA) that has a certificate known as a "CA cert" (Certificate
> Authority Certificate) which is used to sign certificates that are installed
> on servers. These certificates are known as "server certs". The idea is that
> you have public certificate authorities (i.e. Verisign) who publish their CA
> certs. Then, when you bring up a server that needs to use SSL, you have them
> sign your server certificate. When people access your server, they see that
> your server certificate is signed by a known and trusted CA, and therefore
> they trust you.
>
> Things get more complicated when you have a self-signed certificate. This is
> when you create your own CA cert that you use to sign a server cert. When
> someone accesses your server, they do not have a copy of the CA cert to verify
> that your server cert is valid. Most systems (such as web browsers) allow you
> to accept and trust a server cert when you don't have the CA cert that was used
> to sign it. Unfortunately, the underlying libraries used by php for ldaps do
> not allow you to just accept the server cert.
>
> So, you need the PEM encoded CA cert that was used to sign the server cert
> that is installed on the ldap server. A PEM encoded file will be plain text
> with a "BEGIN CERTIFICATE" line at the top and an "END CERTIFICATE" line at
> the bottom. I've worked with several ldap server admins that aren't really
> sure which certificate I need. This can end up being tricky. The best clue
> I've been able to give them is to look at the issuer of the server cert. To
> find that, you need to run the openssl command you listed. Somewhere in the
> output, you should see a line with "Server certificate". Following it will be
> a "subject=" line and an "issuer=" line. The issuer= line will contain
> something kind of like the hostname of the CA in reverse order.
>
> I hope that helps.
>
> Josh
>
> On Wednesday, November 13, 2013 8:53:49 AM David DeMizio wrote:
> > Hello, I have ldap set up and going but I can't seem to get ldaps working.
> > I get the following error message below when running
> >
> >
> > openssl s_client -showcerts -CAfile /etc/pki/tls/certs/ca-bundle.crt -connect your.ldap.server.here:636
> >
> >
> > I would like to fix this issue so I can rule out any other issues I am
> > having. I also tried running
> >
> > vifs --listdc --server my vcenter server and it fails with the message
> > displayed at the following URL:
> >
> >
> http://probably.co.uk/vmware-perl-sdk-error-server-version-unavailable.html
> >
> > If I set export PERL_LWP_SSL_VERIFY_HOSTNAME=0 then the vifs
> > --listdc command works. Could someone assist with how the
> > certificate needs to be installed? I have a certificate from the sysadmin
> > but I keep getting the error below. I'm not too sure on the steps outlined
> > in the configuring the web front end for ldap authentication.
> >
> > If your LDAP server's SSL certificate is self-signed, your VCL web server
> > needs to have the root CA certificate that was used to sign the LDAP server
> > certificate installed. The PEM formatted certificate needs to be added to
> > the ca-bundle.crt file. On CentOS, the file is located at
> > /etc/pki/tls/certs/ca-bundle.crt. The hostname in the certificate must match
> > the hostname entered in the conf.php file further down. If your certificate
> > does not have the correct hostname in it, you can put an entry in
> > /etc/hosts for the hostname in the certificate.
> > Can someone please clarify how this needs to get configured? Thank you.
> > Error message when running the openssl command above:
> >
> > Expansion: NONE
> > SSL-Session:
> > Protocol : TLSv1
> > Cipher : AES128-SHA
> > Session-ID:
> > 683800009905729E42D39C584A91E4B72F4468392FB72A71FAA5AA630DF88439
> > Session-ID-ctx:
> > Master-Key: E24AE8C7F770D863C92D9EEF81F11A76AABB54FBAF27F19328790913C3D08291909824D7FCA0372CE2DE4CA971BFB3C4
> > Key-Arg : None
> > Krb5 Principal: None
> > PSK identity: None
> > PSK identity hint: None
> > Start Time: 1384349719
> > Timeout : 300 (sec)
> > Verify return code: 21 (unable to verify the first certificate)
> >
> > David DeMizio
> > *Academic Systems Coordinator*
> > Office of Information Technology
> > New College of Florida
> > Phone: 941-487-4222 | Fax: 941-487-4356
> > www.ncf.edu
> >
> > On Thu, Nov 7, 2013 at 4:53 PM, David DeMizio <[email protected]> wrote:
> > > Hello,
> > >
> > > I'm having a difficult time configuring ldap authentication for the web
> > > login. I used the test script found on this mailing list and it seems to
> > > work with the following parameters.
> > >
> > > $server = 'serverA.internal.ncf.edu'; # ldap server hostname
> > > $masteracct = 'CN=VCL User,OU=Admin,DC=internal,DC=ncf,DC=edu'; # full DN of account with which to log in to ldap server
> > > $masterpass = 'mypassword'; # password for account
> > >
> > > $res = ldap_bind($ds, $masteracct, $masterpass);
> > > The above works fine in the test script, which is also where it's failing
> > > in vcl/.ht-inc/authentication.php line 413. By the way, I modified
> > > ldapauth and authentication.php to use ldap:// instead of ldaps:// for
> > > the time being because ldaps is not working at all. I get invalid
> > > credentials. Line 413 of authentication.php is
> > >
> > > $res = ldap_bind($ds, $ldapuser, $passwd);
> > >
> > > my conf.php looks like this which might be the issue, I may need to
> > > put it in a different format.
> > > "server" => "serverA.internal.ncf.edu",
> > > "binddn" => "dc=internal,dc=ncf,dc=edu",
> > > "userid" => "uid=%s,dc=internal,dc=ncf,dc=edu", [email protected]'
> > > "unityid" => "samAccountName", # ldap field that contains the user's login id
> > > "firstname" => "givenname", # ldap field that contains the user's first name
> > > "lastname" => "sn", # ldap field that contains the user's last name
> > > "email" => "mail", # ldap field that contains the user's email address
> > > "defaultemail" => "@example.com", # if for some reason an email address may not be returned for a user, this is what
> > > # can be added to the user's login id to send mail
> > > "masterlogin" => "vcluser", # privileged login id for ldap server
> > > "masterpwd" => "mypassword", # privileged login password for ldap server
> > > Thanks
> - --
> - -------------------------------
> Josh Thompson
> VCL Developer
> North Carolina State University
>
> my GPG/PGP key can be found at pgp.mit.edu
>
> All electronic mail messages in connection with State business which
> are sent to or received by this account are subject to the NC Public
> Records Law and may be disclosed to third parties.
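The DER-versus-PEM confusion in this thread (a cert file with no BEGIN/END CERTIFICATE lines) comes down to two encodings of the same bytes. The following is an added example, not code from the thread or from VCL: it detects whether a certificate file is PEM (base64 between BEGIN/END lines) or DER (one bare ASN.1 SEQUENCE spanning the whole file) and converts DER to the PEM form that gets appended to ca-bundle.crt. The SAMPLE_DER_* values are constructed placeholders with a valid SEQUENCE header, not real certificates.

```python
import base64
import textwrap

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def der_sequence_length(data: bytes):
    """Total byte length of the DER SEQUENCE at offset 0, or None if there is none."""
    if len(data) < 2 or data[0] != 0x30:      # 0x30 is the ASN.1 SEQUENCE tag
        return None
    first = data[1]
    if first < 0x80:                          # short-form length (< 128 bytes)
        return 2 + first
    n = first & 0x7F                          # long-form: n following bytes hold the length
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def detect_format(data: bytes) -> str:
    """Return 'pem', 'der' or 'unknown' for the raw bytes of a certificate file."""
    if PEM_HEADER.encode() in data and PEM_FOOTER.encode() in data:
        return "pem"
    # A DER certificate is exactly one SEQUENCE that spans the whole file.
    if der_sequence_length(data) == len(data):
        return "der"
    return "unknown"


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in the base64 armour (64-column lines) that openssl and PHP expect."""
    b64 = base64.b64encode(der).decode("ascii")
    return "\n".join([PEM_HEADER, *textwrap.wrap(b64, 64), PEM_FOOTER]) + "\n"


def pem_to_der(pem: str) -> bytes:
    """Strip the armour and decode; raises ValueError when the BEGIN/END lines are missing."""
    lines = [line.strip() for line in pem.splitlines()]
    if PEM_HEADER not in lines or PEM_FOOTER not in lines:
        raise ValueError("no BEGIN/END CERTIFICATE lines: not PEM")
    body = lines[lines.index(PEM_HEADER) + 1:lines.index(PEM_FOOTER)]
    return base64.b64decode("".join(body))


# Constructed stand-ins (not real certificates): long-form and short-form DER SEQUENCEs.
SAMPLE_DER_LONG = b"\x30\x82\x01\x2c" + bytes(300)    # SEQUENCE, length 0x012c = 300
SAMPLE_DER_SHORT = b"\x30\x05\x02\x03\x01\x00\x01"     # SEQUENCE { INTEGER 65537 }
```

The openssl equivalent is `openssl x509 -inform der -in RootCA.cer -out RootCA.pem`; once the file is PEM, `openssl x509 -in RootCA.pem -noout -subject -issuer` shows whether its subject matches the issuer= line of the LDAP server cert.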